據(jù)報道,由好萊塢巨星馬特·達蒙代言的虛擬幣交易所Crypto.com在近期遭到了黑客攻擊。該交易所成立已經(jīng)有五年,馬特·達蒙也是它的投資人之一。
1月17日上午,Crypto.com在其官方推特(Twitter)上表示:“據(jù)少數(shù)用戶報稱,他們的賬戶上出現(xiàn)了可疑活動?!睘榇_保用戶資金安全,該公司已經(jīng)暫停了提現(xiàn)功能,并就此事展開了調(diào)查。當(dāng)時Crypto.com還稱“所有資金都是安全的”。
到了1月18日上午,該公司又在官方推特上宣布,公司已經(jīng)恢復(fù)了所有提現(xiàn)服務(wù),并再次聲明沒有任何客戶資產(chǎn)損失。該公司的首席執(zhí)行官克里斯·馬爾沙韋克也在其個人推特賬號上表示,公司已經(jīng)針對此事加強了安全設(shè)施,并將在“內(nèi)部調(diào)查完成后公布完整的調(diào)查報告”。
在過去24小時里,我有一些想法:
-客戶資金沒有損失
-提現(xiàn)功能暫停了14個小時
-我們的團隊已經(jīng)針對此事加強了安全設(shè)施
我們將在內(nèi)部調(diào)查結(jié)束后公布完整的調(diào)查報告。
——克里斯 | Crypto.com (@Kris_HK),2022年1月18日
雖然Crypto.com宣稱所有客戶資金都是安全的,但很多人都在推特上對此表示質(zhì)疑。比如1月19日早上,中國的區(qū)塊鏈安全公司派盾科技就爆料稱,Crypto.com實際上丟失了1500萬美元的資產(chǎn)?!八鼡p失了至少4600枚以太幣(Ether),其中半數(shù)已經(jīng)通過Tornado Cash混幣平臺洗白?!盩ornado Cash是一個去中心化的智能合約平臺,允許用戶在以太幣區(qū)塊鏈上進行匿名交易。派盾科技隨后還對虛擬幣網(wǎng)站Decrypt表示,Crypto.com真正的損失規(guī)模“絕對比這更嚴(yán)重”。
除此之外,還有多名用戶稱自己的賬號資金被盜。比如推特用戶@J8Arnold說:“所有資金并非都是安全的。我的賬戶出現(xiàn)了未經(jīng)我授權(quán)的比特幣(Bitcoin)提現(xiàn)。這些資金還沒有返還給我……我一直采取的是密碼+雙重認證模式?!痹撚脩羯形椿貞?yīng)《財富》雜志的評論請求。
有行業(yè)分析師認為,派盾科技評估的損失很可能是準(zhǔn)確的。虛擬幣交易分析機構(gòu)Crystal Blockchain的調(diào)查總監(jiān)斯科特·龐德指出,區(qū)塊鏈數(shù)據(jù)顯示,有“一大筆”資產(chǎn)被從Crypto.com上提走,轉(zhuǎn)入了一個錢包,然后又被轉(zhuǎn)入了一個混幣平臺。這一系列活動“很明顯表明發(fā)生了黑客攻擊”,而且這是一次集中化的黑客攻擊,只是目前無法證實是否涉及用戶的資產(chǎn)。區(qū)塊鏈分析公司Nansen Alpha的研究分析師邱永利(音譯)表示,他交叉引用了來自區(qū)塊鏈監(jiān)測平臺CertiK等來源的數(shù)據(jù),發(fā)現(xiàn)有282個用戶錢包在此事件中受到了影響。
除了在推特上的官方聲明外,Crypto.com拒絕對此事做進一步評論。Crypto.com是在香港和新加坡注冊的,2021年它豪擲10億美元開展?fàn)I銷宣傳,讓它在全世界聲名雀起,迅速成為全球首屈一指的虛擬幣交易所。2021年11月,Crypto.com簽署了一份7億美元的合同,將美國職業(yè)籃球聯(lián)賽(National Basketball Association)的洛杉磯湖人隊(Los Angeles Lakers)和洛杉磯快船隊(Los Angeles Clippers)的主場——斯臺普斯中心(Staples Center)正式更名為Crypto.com球場。它還請馬特·達蒙拍了一系列廣告,與終極格斗錦標(biāo)賽(Ultimate Fighting Championship)、 F1方程式錦標(biāo)賽(Formula 1)和多家曲棍球、足球、橄欖球俱樂部簽署了一系列合作協(xié)議,總計耗資約5億美元。
不過Crypto.com仍然是盈利的,而且它的收入在過去12個月里飆升了2000%。2021年12月,該公司的首席執(zhí)行官克里斯·馬爾沙韋克在接受《財富》雜志采訪時表示,該公司2021年4至6月的當(dāng)季收入達到了5億美元。自1月17日以來,Cryto.com自家發(fā)行的CRO幣已經(jīng)下跌了大約3.5%。
此次事件也表明,網(wǎng)絡(luò)黑客已經(jīng)將更多目光瞄準(zhǔn)了財大氣粗的虛擬幣企業(yè),尤其是像Crypto.com這樣的集中化交易所和去中心化金融服務(wù)企業(yè)。據(jù)區(qū)塊鏈分析公司Chainalysis今年1月的一份報告顯示,2021年,網(wǎng)絡(luò)黑客通過詐騙和竊取等手段,累計盜取了價值140億美元的虛擬幣資產(chǎn),創(chuàng)下歷史新高,較2020年增長了79%。
就在2021年12月,一伙“虛擬幣大盜”成功地從注冊在開曼群島的虛擬幣交易所BitMart盜走了2億美元的用戶資產(chǎn)。這伙犯罪分子先是盜取了兩個“熱錢包”的私鑰(所謂“熱錢包”是指基于互聯(lián)網(wǎng)的一種虛擬幣的數(shù)字化存儲方式),然后轉(zhuǎn)走了錢包里的數(shù)字資產(chǎn)。2021年夏天,網(wǎng)絡(luò)黑客更是從去中心化金融服務(wù)平臺Poly Network那里一次盜走6億美元資產(chǎn),創(chuàng)下幣圈歷史之最——但隨即又返還了這筆數(shù)字資產(chǎn)。2021年10月,在納斯達克(Nasdaq)上市的虛擬幣交易所Coinbase對6000余名客戶表示,他們的賬戶被侵入了,黑客利用了該平臺SMS賬號恢復(fù)進程的一個漏洞,獲得了一個雙重認證標(biāo)記,從而進入了這些賬號。
區(qū)塊鏈分析公司Elliptic的聯(lián)合創(chuàng)始人、首席科學(xué)家湯姆·羅賓遜指出,通常說來,黑客之所以能夠黑入虛擬幣交易所,是因為他“能夠訪問交易所的內(nèi)部系并且提取資產(chǎn)。賬戶接管也是可能發(fā)生的,比如說,黑客可以通過網(wǎng)絡(luò)釣魚獲取用戶的登陸信息,從而黑入交易所平臺的用戶賬號。”邱永利也表示,像BitMart和Crypto.com這種虛擬幣交易所會把用戶資產(chǎn)儲存在“熱錢包”里,這樣雖然方便了客戶,但也更容易被盜。
龐德認為,由于其工作性質(zhì),虛擬幣交易所必然會繼續(xù)成為黑客襲擊的目標(biāo)。不過羅賓遜指出,近期虛擬幣被盜事件高發(fā)的主要原因,是黑客利用了去中心化金融的DeFi協(xié)議。去中心化金融服務(wù)不需要交易所,而是建立在區(qū)塊鏈平臺上的,這就使黑客能夠利用網(wǎng)絡(luò)的設(shè)計缺陷或編碼錯誤實施襲擊。
據(jù)美國消費者新聞與商業(yè)頻道(CNBC)上周報道,在遭到襲擊后,BitMart承諾將自掏腰包賠償用戶的損失。然而五個星期過去了,一些用戶仍然沒有收到交易所的補償款,也未收到關(guān)于此事的進一步通知。Coinbase還承諾將出資補償6000名受影響的用戶。
虛擬幣服務(wù)提供商Eqonex的機構(gòu)銷售經(jīng)理賈斯汀·丹尼森認為,Crypto.com很可能也會選擇自掏腰包補償用戶?!八型顿Y者的損失可能都會被全額補償,因為公司負擔(dān)得起?!保ㄘ敻恢形木W(wǎng))
譯者:樸成奎
據(jù)報道,由好萊塢巨星馬特·達蒙代言的虛擬幣交易所Crypto.com在近期遭到了黑客攻擊。該交易所成立已經(jīng)有五年,馬特·達蒙也是它的投資人之一。
1月17日上午,Crypto.com在其官方推特(Twitter)上表示:“據(jù)少數(shù)用戶報稱,他們的賬戶上出現(xiàn)了可疑活動?!睘榇_保用戶資金安全,該公司已經(jīng)暫停了提現(xiàn)功能,并就此事展開了調(diào)查。當(dāng)時Crypto.com還稱“所有資金都是安全的”。
到了1月18日上午,該公司又在官方推特上宣布,公司已經(jīng)恢復(fù)了所有提現(xiàn)服務(wù),并再次聲明沒有任何客戶資產(chǎn)損失。該公司的首席執(zhí)行官克里斯·馬爾沙韋克也在其個人推特賬號上表示,公司已經(jīng)針對此事加強了安全設(shè)施,并將在“內(nèi)部調(diào)查完成后公布完整的調(diào)查報告”。
在過去24小時里,我有一些想法:
-客戶資金沒有損失
-提現(xiàn)功能暫停了14個小時
-我們的團隊已經(jīng)針對此事加強了安全設(shè)施
我們將在內(nèi)部調(diào)查結(jié)束后公布完整的調(diào)查報告。
——克里斯 | Crypto.com (@Kris_HK),2022年1月18日
雖然Crypto.com宣稱所有客戶資金都是安全的,但很多人都在推特上對此表示質(zhì)疑。比如1月19日早上,中國的區(qū)塊鏈安全公司派盾科技就爆料稱,Crypto.com實際上丟失了1500萬美元的資產(chǎn)?!八鼡p失了至少4600枚以太幣(Ether),其中半數(shù)已經(jīng)通過Tornado Cash混幣平臺洗白?!盩ornado Cash是一個去中心化的智能合約平臺,允許用戶在以太幣區(qū)塊鏈上進行匿名交易。派盾科技隨后還對虛擬幣網(wǎng)站Decrypt表示,Crypto.com真正的損失規(guī)?!敖^對比這更嚴(yán)重”。
除此之外,還有多名用戶稱自己的賬號資金被盜。比如推特用戶@J8Arnold說:“所有資金并非都是安全的。我的賬戶出現(xiàn)了未經(jīng)我授權(quán)的比特幣(Bitcoin)提現(xiàn)。這些資金還沒有返還給我……我一直采取的是密碼+雙重認證模式。”該用戶尚未回應(yīng)《財富》雜志的評論請求。
有行業(yè)分析師認為,派盾科技評估的損失很可能是準(zhǔn)確的。虛擬幣交易分析機構(gòu)Crystal Blockchain的調(diào)查總監(jiān)斯科特·龐德指出,區(qū)塊鏈數(shù)據(jù)顯示,有“一大筆”資產(chǎn)被從Crypto.com上提走,轉(zhuǎn)入了一個錢包,然后又被轉(zhuǎn)入了一個混幣平臺。這一系列活動“很明顯表明發(fā)生了黑客攻擊”,而且這是一次集中化的黑客攻擊,只是目前無法證實是否涉及用戶的資產(chǎn)。區(qū)塊鏈分析公司Nansen Alpha的研究分析師邱永利(音譯)表示,他交叉引用了來自區(qū)塊鏈監(jiān)測平臺CertiK等來源的數(shù)據(jù),發(fā)現(xiàn)有282個用戶錢包在此事件中受到了影響。
除了在推特上的官方聲明外,Crypto.com拒絕對此事做進一步評論。Crypto.com是在香港和新加坡注冊的,2021年它豪擲10億美元開展?fàn)I銷宣傳,讓它在全世界聲名雀起,迅速成為全球首屈一指的虛擬幣交易所。2021年11月,Crypto.com簽署了一份7億美元的合同,將美國職業(yè)籃球聯(lián)賽(National Basketball Association)的洛杉磯湖人隊(Los Angeles Lakers)和洛杉磯快船隊(Los Angeles Clippers)的主場——斯臺普斯中心(Staples Center)正式更名為Crypto.com球場。它還請馬特·達蒙拍了一系列廣告,與終極格斗錦標(biāo)賽(Ultimate Fighting Championship)、 F1方程式錦標(biāo)賽(Formula 1)和多家曲棍球、足球、橄欖球俱樂部簽署了一系列合作協(xié)議,總計耗資約5億美元。
不過Crypto.com仍然是盈利的,而且它的收入在過去12個月里飆升了2000%。2021年12月,該公司的首席執(zhí)行官克里斯·馬爾沙韋克在接受《財富》雜志采訪時表示,該公司2021年4至6月的當(dāng)季收入達到了5億美元。自1月17日以來,Cryto.com自家發(fā)行的CRO幣已經(jīng)下跌了大約3.5%。
此次事件也表明,網(wǎng)絡(luò)黑客已經(jīng)將更多目光瞄準(zhǔn)了財大氣粗的虛擬幣企業(yè),尤其是像Crypto.com這樣的集中化交易所和去中心化金融服務(wù)企業(yè)。據(jù)區(qū)塊鏈分析公司Chainalysis今年1月的一份報告顯示,2021年,網(wǎng)絡(luò)黑客通過詐騙和竊取等手段,累計盜取了價值140億美元的虛擬幣資產(chǎn),創(chuàng)下歷史新高,較2020年增長了79%。
就在2021年12月,一伙“虛擬幣大盜”成功地從注冊在開曼群島的虛擬幣交易所BitMart盜走了2億美元的用戶資產(chǎn)。這伙犯罪分子先是盜取了兩個“熱錢包”的私鑰(所謂“熱錢包”是指基于互聯(lián)網(wǎng)的一種虛擬幣的數(shù)字化存儲方式),然后轉(zhuǎn)走了錢包里的數(shù)字資產(chǎn)。2021年夏天,網(wǎng)絡(luò)黑客更是從去中心化金融服務(wù)平臺Poly Network那里一次盜走6億美元資產(chǎn),創(chuàng)下幣圈歷史之最——但隨即又返還了這筆數(shù)字資產(chǎn)。2021年10月,在納斯達克(Nasdaq)上市的虛擬幣交易所Coinbase對6000余名客戶表示,他們的賬戶被侵入了,黑客利用了該平臺SMS賬號恢復(fù)進程的一個漏洞,獲得了一個雙重認證標(biāo)記,從而進入了這些賬號。
區(qū)塊鏈分析公司Elliptic的聯(lián)合創(chuàng)始人、首席科學(xué)家湯姆·羅賓遜指出,通常說來,黑客之所以能夠黑入虛擬幣交易所,是因為他“能夠訪問交易所的內(nèi)部系并且提取資產(chǎn)。賬戶接管也是可能發(fā)生的,比如說,黑客可以通過網(wǎng)絡(luò)釣魚獲取用戶的登陸信息,從而黑入交易所平臺的用戶賬號。”邱永利也表示,像BitMart和Crypto.com這種虛擬幣交易所會把用戶資產(chǎn)儲存在“熱錢包”里,這樣雖然方便了客戶,但也更容易被盜。
龐德認為,由于其工作性質(zhì),虛擬幣交易所必然會繼續(xù)成為黑客襲擊的目標(biāo)。不過羅賓遜指出,近期虛擬幣被盜事件高發(fā)的主要原因,是黑客利用了去中心化金融的DeFi協(xié)議。去中心化金融服務(wù)不需要交易所,而是建立在區(qū)塊鏈平臺上的,這就使黑客能夠利用網(wǎng)絡(luò)的設(shè)計缺陷或編碼錯誤實施襲擊。
據(jù)美國消費者新聞與商業(yè)頻道(CNBC)上周報道,在遭到襲擊后,BitMart承諾將自掏腰包賠償用戶的損失。然而五個星期過去了,一些用戶仍然沒有收到交易所的補償款,也未收到關(guān)于此事的進一步通知。Coinbase還承諾將出資補償6000名受影響的用戶。
虛擬幣服務(wù)提供商Eqonex的機構(gòu)銷售經(jīng)理賈斯汀·丹尼森認為,Crypto.com很可能也會選擇自掏腰包補償用戶?!八型顿Y者的損失可能都會被全額補償,因為公司負擔(dān)得起。”(財富中文網(wǎng))
譯者:樸成奎
Crypto.com, the five-year-old cryptocurrency exchange which boasts Hollywood superstar Matt Damon as the face of the company (and as an investor), has allegedly been hacked.
On January 17 morning, Crypto.com announced via Twitter: "We have a small number of users reporting suspicious activity on their accounts." In response, the company paused withdrawals, to ensure the safety of user funds and launched an investigation, it said. Crypto.com said at the time that "all funds are safe."
On January 18 morning, the company tweeted that it had restored all withdrawal services," stating again that no customer funds were lost. Crypto.com CEO Kris Marszalek tweeted via his personal account that the firm has strengthened its security infrastructure in response to the incident and will "share a full post mortem after the internal investigation is completed."
Some thoughts from me on the last 24 hours:
- no customer funds were lost
- the downtime of withdrawal infra was ~14 hours
- our team has hardened the infrastructure in response to the incident
We will share a full post mortem after the internal investigation is completed.
— Kris | Crypto.com (@Kris_HK) January 18, 2022
Yet a series of subsequent tweets cast doubt on Crypto.com's claim that all user money remained safe. Peckshield, a China-based blockchain security firm, wrote on January 19 morning that Crypto.com actually lost $15 million of funds, "with at least 4.6K ETHs [Ether] and half of them are currently being washed via [Tornado Cash]," a decentralized smart contract platform that allows users to conduct anonymous transactions on the Ethereum blockchain. Peckshield subsequently told Decrypt?that the true scale of the damage is "definitely worse."
Meanwhile, several users like @J8Arnold said that he had funds stolen from his account. "All funds are not safe. I had BTC [Bitcoin] withdrawn from my account that I did not authorize. These funds have yet to be returned to me…I have always had passcode & [2-factor authentication] enabled," the user wrote. The user did not return Fortune's request for comment.
Industry analysts say Peckshield's assessment is likely accurate. The blockchain data shows that a "significant sum" was taken from Crypto.com and moved into one wallet, then rerouted to a mixer, says Scott Pounder, head of investigations at Crystal Blockchain, a crypto transaction analysis and compliance firm. This chain of events is "a fairly clear sign that a hack [took] place" and that the attack was centralized, though it can't be verified whether user funds were involved or not, says Pounder. Yong Li Khoo, a research analyst at blockchain analytics firm Nansen Alpha said that he cross-referenced the data from other sources like CertiK, a platform that monitors blockchain protocols, and found that 282 user wallets were affected in the alleged breach.
Crypto.com declined to comment beyond its official statements released on Twitter. The Hong Kong and Singapore-based platform became one of the world's top cryptocurrency exchanges last year after a $1 billion marketing offensive helped it gain recognition worldwide. Last November, Crypto.com inked a $700 million deal to emblazon its name on Los Angeles's iconic Staples Center—home of the National Basketball Association's (NBA) Los Angeles Lakers and Clippers. Before that, the company spent a collective $500 million on a series of commercials led by actor Matt Damon and a bevy of endorsement deals with the Ultimate Fighting Championship (UFC); motor racing championship Formula 1; and elite hockey, football and soccer clubs.
Crypto.com is profitable and its revenue has surged 2,000% in the last 12 months. In the April to June quarter this year, it recorded $500 million in revenue, Crypto.com CEO Kris Marszalek told Fortune in a conversation in December. The price of CRO (Crypto.com coin) has dropped roughly 3.5% since January 17.
The alleged Crypto.com hack is yet another indication of how digital scammers are increasingly targeting lucrative crypto businesses—particularly centralized exchanges like Crypto.com and decentralized finance, or DeFi services. Last year, cryptocurrency swindlers stole a record $14 billion—up 79% from 2020—via scams and theft, according to a January report from data and blockchain analytics firm Chainalysis.
Just in December 2021, crypto thieves made off with $200 million of customer funds from Cayman Islands-headquartered exchange BitMart. Scammers stole a private key to gain access to two 'hot wallets'—a type of Internet-enabled digital storage where cryptocurrencies are stored—and took the digital assets stored in the wallets. Last summer, hackers stole $600 million from DeFi platform Poly Network—the biggest crypto heist in history—but subsequently returned the digital assets. In October 2021, Nasdaq-listed Coinbase told 6,000 customers that their accounts were compromised; hackers exploited a flaw in the platform's SMS account recovery process to obtain a two-factor authentication token and access the accounts.
Thefts from cryptocurrency exchanges typically occur because a hacker is "able to access the exchange's internal systems, and withdraw funds. Account takeovers can also take place, where a hacker is able to access the accounts belonging to individuals users of an exchange... for example a user's login details might be obtained through a phishing attack," says Tom Robinson, co-founder and chief scientist at Elliptic, a blockchain analysis firm. Crypto exchanges like BitMart and Crypto.com, which store user assets in hot wallets, are more convenient for the customer, but are also more susceptible to theft, says Khoo.
Cryptocurrency exchanges will continue to be targeted due to the nature of their work, says Pounder. But the major explosion in crypto thefts took place due to hackers exploiting DeFi protocols, says Robinson. DeFi services remove the need for exchanges and are built on top of a blockchain platform, which allows hackers to take advantage of a design flaw or coding error in the network.
After its platform breach, BitMart promised to reimburse users via the company's own cash. Five weeks later, however, some users still haven't received any updates or money from the exchange, according to a CNBC?report last week. Coinbase also vowed to pay back its 6,000 affected users using its own funds.
Justin d'Anethan, institutional sales manager at crypto services provider Eqonex believes that Crypto.com will likely opt to pay users back with its own capital: "All the investors will probably be made whole [since] the company can afford it."